Power Toys May Compromise Security

Microsoft Power Toys have always been a favorite set of utilities. They were originally
simple tools that the Microsoft development team put together for their own use. Microsoft
released them under a use-at-your-own-risk policy. As it turns out, there is one good
reason to exercise caution with them-they could allow someone to access your computer and
bypass network security.

Tweak UI is one of the Power Toys. As its name alludes, it allows you to tweak the User
Interface. In fact, it is one of the earliest forms of the System Policy Editor,
being a GUI tool to manipulate Registry values. With Tweak UI, you can modify how Windows
95 (and NT 4.0) boots, which icons appear on the desktop and a host of other useful
functions. One of the most popular features is the Paranoia tab which allows you to
clear the MRU (most recently used) lists on shut down. This feature is now included with
the IE4.0 desktop upgrade (in fact many of the Tweak UI functions have been integrated
into the IE4.0 upgrade). You can clear out the MRU document files, for instance, so that
no one can go to your computer (or view your Registry remotely) in order to see what
you've been working on.

One of the Paranoia tab settings is Clear Last Known User Logon. Normally, Windows
displays the name of the last user to logon to your computer. Sometimes administrators
will want this value blank so end-users don't know the administrator's logon name. In some
cases, user names need to be as secure as their passwords. Unfortunately, the Registry
change that Tweak UI makes can interfere with Policies requiring network validation for
access to the computer. Therefore, a user may bypass network validation and gain access to
your computer.

Network security is not compromised, but local security (the reason you wanted that
Policy in place) is bypassed. The only way to prevent this from happening is to remove
Tweak UI from your system or disable the conflicting setting. You can remove Tweak UI
through Add/Remove Programs.

Disable the setting through the Tweak UI interface:

Control Panel-Tweak UI-Paranoia

Clear the Clear Last User Logon checkbox. Click OK.

Restart Windows.

Of course, if you want to throw caution to the wind and download the Power Toys, you
can find them on Microsoft's web site at Windows
95 PowerToys Set. Download them into a temporary folder and right-click the INF file
for the applet you wish to install, and select Install. The applet, in most cases, creates
an applet in your Control Panel. As we mentioned earlier a number of their functions have
been superceded by the Internet Explorer 4.0 Desktop Upgrade, so you should consider the
merits of each before you install.